Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

active directory - allow users to login to OWA and Sharepoint site only, not interactive on desktop PC

Posted on 2014-12-09
3
Medium Priority
?
781 Views
Last Modified: 2014-12-10
Hi there
So we have a requirement to allow certain users to login to their email via OWA and to a Sharepoint site but they should not be permitted to logon to the network in the office on a PC and therefore no access to shared drives etc.
Is there a way to do this in group policy or another way?
many thanks
0
Comment
Question by:stack888
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40491476
Have you tried setting their "Log on to" in the AD user properties?  I'm not sure that works, though, I seem to recall in the past admins having a problem with this method.  Another possibility would be to create a special global group with restricted rights and then give that group only the necessary rights to log on to the Sharepoint and OWA sites. For Sharepoint, they would also need the necessary NTFS permissions to access any documents or other services and/or storage areas on your network to use the data that is being served through the Sharepoint site.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40492032
Log on to tab in AD will definitely work

You need to create any fake computer account in AD and you need to edit properties of all required users and add this computer account, so that they can't logon to any other computers locally
In addition to above you need to restrict them on Remote Desktop services profile tab as well
U need to select check box "deny this user to logon to remote desktop session host server

Lastly, the below solution should work \ will work 100%
1st create one security group and add all required users to that group
At domain level create new group policy and in that policy enable deny logon locally and deny logon thru terminal services user rights setting and add above group there
These users will not be able to logon to any servers \ desktops trough RDP \ locally

Test any of above solution prior to deploy full flesh

Mahesh
0
 
LVL 2

Author Closing Comment

by:stack888
ID: 40492361
Mahesh, i ended up using pretty much your solution.
thanks!

This is what i did:

Create a group "Users Denied Interactive Logon", and make the relevant users a member.
Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question